Coronavirus Cybercrime Scaling Up
2nd April, 2020
Just like Coronavirus itself, the Coronavirus-themed cybercrime it has spawned is quickly becoming a pandemic of its own. Cybercriminals have been quick to take advantage of the media attention on the story, using lures with a Coronavirus theme. Many of the attacks Netcraft has observed have used the fear and uncertainty surrounding the situation to trigger a response from their victims.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the WHO. This post covers some of the trends Netcraft has observed since our previous post on the topic.
Coronavirus certificates
Analysis of certificate transparency logs for new certificates covering hostnames containing keywords “COVID” and “Coronavirus” shows increasing numbers of certificates are being issued for Coronavirus-themed hostnames.
Whilst some of the certificates included in the graph will be being used for legitimate purposes, many certificates – particularly those which have been registered since the outbreak started – are being used to spread disinformation, host fake shops and pharmacies, serve phishing websites and to disseminate malware.
Coronavirus Cybercrime
27th March, 2020
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the WHO. Scammers have been quick to take advantage of the massive worldwide attention to Coronavirus (COVID-19), and are increasingly making use of it as a theme for online fraud.
Netcraft is the largest provider of anti-phishing takedowns in the world and provides countermeasures against some 75 other types of cybercrime for governments, internet infrastructure and many of the world’s largest banks and enterprises. Coronavirus-themed cybercrime accounts for around 5% of all the attacks we perform countermeasures against, even without accounting for attacks that may otherwise be attributed to existing phishing targets.
Coronavirus Phishing attack impersonating the World Health Organisation
March 2020 Web Server Survey
20th March, 2020
In the March 2020 survey we received responses from 1,263,025,546 sites across 257,194,796 unique domains and 9,659,223 web-facing computers. This reflects a gain of 94,300 computers, 2.12 million sites and 3.00 million domains.
Microsoft and nginx both saw increases in the total number of domains in March 2020, with nginx gaining 4.84 million domains (+7.2%) and increasing its market share by 1.6 percentage points to 28.1%. Microsoft gained 215,000 domains, though this was not substantial enough to avoid losing market share to nginx.
nginx’s sharp increase saw it overtake Apache in terms of domain market share for the first time, with a marginal lead of 136,000 domains. However Apache continues to lead nginx by a considerable amount in terms of active sites —despite losing 225,000 active sites this month, Apache maintains an 8.21 percentage point lead in market share over nginx. Apache also leads in terms of web-facing computers, though with only 3.17 percentage points separating them from nginx.
Several server vendors which hold a lower market share saw mixed results this month. Google lost 115,000 domains but gained 510,000 active sites, while Oracle lost 27,800 domains and 22,200 active sites. Both hold less than one percent of domain market share, with Google claiming 0.87% (-0.06 percentage points), and Oracle holding 0.22% (-0.01 percentage points).
After having gained almost 2 million domains every month since December, Cloudflare’s rapid growth slowed this month with a gain of only 714,929 domains. Cloudflare power their content delivery network with their own server software, originally based on nginx , which accounted for 9.31% of observed domains.
Vendor News
NGINX released several new versions of its products this month. The nginx web server was updated to 1.17.9 with several small changes and bug fixes, one of which is related to HTTP/2 support. The company’s dynamic application server NGINX Unit was updated to 1.16.0, adding functionality which allows more configurable round-robin load balancing.
LiteSpeed Technologies released version 5.4.6 of their LiteSpeed Web Server . This release adds support for the latest draft specification of HTTP/3, which itself was published in mid-February. The release also hardens the server’s default TLS configuration by disabling support for TLS 1.1 unless enabled by the user.
Apache also released versions 8.5.53, 9.0.33, and 10.0.0-M3 of Apache Tomcat, which include several small feature updates and bug fixes.
| Developer | February 2020 | Percent | March 2020 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 459,966,569 | 36.48% | 473,308,955 | 37.47% | 1.00 |
| Apache | 309,061,300 | 24.51% | 306,114,673 | 24.24% | -0.27 |
| Microsoft | 179,225,073 | 14.21% | 170,567,386 | 13.50% | -0.71 |
| 40,120,733 | 3.18% | 41,227,959 | 3.26% | 0.08 |
Browsers on track to block 850,000 TLS 1.0 sites
3rd March, 2020
More than 850,000 websites still rely on the outdated TLS 1.0 and TLS 1.1 protocols that are scheduled to be blocked by the majority of web browsers this month. These older versions of the Transport Layer Security protocol, which date back to 1999 and 2006, are vulnerable to numerous practical attacks that have been resolved in later versions. Among the sites still using these outdated setups are major banks , governments , news , and telecoms companies. Big and small alike, such websites are about to be derailed by full-page browser warnings, with the added prospect of getting blocked entirely later on.
This all comes despite more than a year’s notice. Back in late 2018, the four largest browser vendors — Mozilla , Google , Apple , and Microsoft — jointly announced the deprecation of TLS 1.0 and 1.1, with support to be removed from their browsers in March 2020 or shortly thereafter. But a number of notable sites have not heeded these warnings, and have so far failed to switch to a version of TLS more modern than 1.0.
Firefox Nightly and Beta have already removed support for TLS 1.0 and TLS 1.1 and show a full-page interstitial warning, although they currently allow users to bypass it and to continue accessing the affected website.
Included in the list is Huawei , which is already under fire for its less than reassuring security practices. But it’s not just Huawei that’s letting TLS 1.0-only servers slip through the cracks — the UK’s largest mobile network, O2, uses a TLS 1.0-based redirect services on https://o2.co.uk . Governmental websites are also no exception, including the South Africa Justice department, justice.gov.za , and the California Tax Service Center, taxes.ca.gov . Usage of TLS 1.0 is also particularly prevalent on less popular sites or internal services — places where browser security warnings may go unnoticed for some time.
Most Reliable Hosting Company Sites in February 2020
3rd March, 2020
| Rank | Performance Graph | OS | Outage hh:mm:ss |
Failed Req% |
DNS | Connect | First byte |
Total |
|---|---|---|---|---|---|---|---|---|
| 1 | www.choopa.com | Linux | 0:00:00 | 0.000 | 0.249 | 0.004 | 0.020 | 0.020 |
| 2 | GoDaddy.com Inc | Linux | 0:00:00 | 0.000 | 0.404 | 0.006 | 0.031 | 0.032 |
| 3 | Rackspace | Linux | 0:00:00 | 0.000 | 0.470 | 0.008 | 0.019 | 0.019 |
| 4 | New York Internet (NYI) | FreeBSD | 0:00:00 | 0.000 | 0.548 | 0.054 | 0.108 | 0.108 |
| 5 | Webair | Linux | 0:00:00 | 0.000 | 0.321 | 0.071 | 0.141 | 0.142 |
| 6 | CWCS Managed Hosting | Linux | 0:00:00 | 0.000 | 0.315 | 0.079 | 0.160 | 0.160 |
| 7 | EveryCity | SmartOS | 0:00:00 | 0.000 | 0.240 | 0.080 | 0.161 | 0.161 |
| 8 | Swishmail | FreeBSD | 0:00:00 | 0.000 | 0.238 | 0.082 | 0.163 | 0.163 |
| 9 | ServerStack | Linux | 0:00:00 | 0.000 | 0.235 | 0.083 | 0.166 | 0.166 |
| 10 | www.flexential.com | Linux | 0:00:00 | 0.000 | 0.188 | 0.087 | 0.177 | 0.510 |
In February 2020 Choopa.com had the most reliable hosting company site. This month, all 10 of the top 10 hosting company sites responded to all of Netcraft's requests and so were separated by average connection time. Choopa.com provides cloud hosting, dedicated servers, colocation and managed services from its primary data centre in Piscataway, New Jersey, and also has facilities in Los Angeles, Amsterdam and Tokyo.
February 2020 Web Server Survey
20th February, 2020
In the February 2020 survey we received responses from 1,260,909,305 sites across 254,192,929 unique domains and 9,564,965 web-facing computers. This reflects a loss of 35.1 million sites and 11,900 computers, but a gain of 4.57 million domains.
The largest swings this month were seen for nginx. Despite losing 28.7 million sites and 64,500 web-facing computers, nginx excelled in other metrics this month, including a 3.06 million increase in unique domain count and a 675,000 increase in active sites count, building upon its rapid growth from last month.
Apache increased its share of the sites market this month by 0.53 percentage points, owed largely to the aforementioned drop in sites for nginx. This comes despite a drop of 1.77 million sites for Apache. Apache also lost 187,000 domains and 97,500 active sites this month. Apache did, however, gain an extra 6,400 web-facing computers. Apache is presently the most commonly used web server in terms of domains, active sites, and computers, and also has the greatest portion of the top one million busiest sites. The only metric in which it is currently beaten is the relatively unstable total count of sites (hostnames), for which nginx currently holds first place.
Microsoft saw modest growth in its counts of active sites (+193,000), web-facing computers (+9,890), and domains (+536,000). Microsoft saw a reduction of 2.65 million sites, but, like Apache, was left with an increase in its market share overall.
Vendor News
Apache released versions 7.0.100, 8.5.51, and 9.0.31 of its Tomcat Java Servlet software. The updates, which are largely the same across the major versions, include fixes, improvements, and some refactoring. Coyote, the HTTP connector component of Apache Tomcat, was found serving around 325,000 domains this month.
NGINX released an update for NGINX Unit , their open source dynamic application server, adding support for Ruby 2.7 and addressing a number of bugs.
| Developer | January 2020 | Percent | February 2020 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 488,628,547 | 37.70% | 459,966,569 | 36.48% | -1.22 |
| Apache | 310,833,084 | 23.98% | 309,061,300 | 24.51% | 0.53 |
| Microsoft | 181,873,181 | 14.03% | 179,225,073 | 14.21% | 0.18 |
| 39,081,956 | 3.02% | 40,120,733 | 3.18% | 0.17 |